RE: Move Ent. Certificate Authority from DC and keep certs

From: Bob Qin [MSFT] (bobqin_at_online.microsoft.com)
Date: 01/10/05


Date: Mon, 10 Jan 2005 10:59:02 GMT

Hi Jon,

Thanks for your update.

After you back up the CA and demote DC1, you can move it to a workgroup and
take it offline. Please make sure that the computer account is removed from ADUC.
Then you can install a new server with the same name and promote it to be a DC.
At last, import the CA data on the new DC. It will act as the original CA
server.

Have a nice day!

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
      From: Jon <Jon@discussions.microsoft.com>
      Subject: RE: Move Ent. Certificate Authority from DC and keep certs
      Date: Sat, 8 Jan 2005 21:07:01 -0800
      Newsgroups: microsoft.public.windows.server.migration
      
      Thanks for the reply Bob,
      
      It's good to know that this procedure applies to DCs as well - I didn't
      catch that.
      
      However, it does state that the computer name must be the same for the new
      CA as the old. Is there any other way around this?
      
      I did not clearly state in my last post that we have two DCs in this forest,
      DC1 and DC2. DC1 is the CA and is slated for demotion (or virtualization if
      we can get it to succeed). DC2 holds most of the FSMO roles except
      Infrastructure and Schema, so it is more 'active' in the domain/forest. If we
      back up DC1's CA in preparation to move it to DC2 (or another DC), then it
      sounds like we will need to demote DC1 before taking it offline and bringing
      a new DC1 (same computername) online to restore the CA to.
      
      With that in mind, how will the AD objects handle a new computer with the
      same name as the old CA? Are the CA objects in AD associated with the
      computer account for the CA (e.g. SID)?
      
      Any insights greatly appreciated!
      
      
      
      "Bob Qin [MSFT]" wrote:
      
> Hi Jon,
>
> Thanks for your posting here.
>
> To move a CA from a DC to another DC, you can refer to the article of
> 298138.
>
> HOW TO: Move a Certification Authority to Another Server
> http://support.microsoft.com/?id=298138
>
> It also applies to Domain Controllers.
>
> Have a nice day!
>
> Regards,
> Bob Qin
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> ====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> Subject: Move Ent. Certificate Authority from DC and keep certs
> Date: Thu, 6 Jan 2005 13:11:01 -0800
> Newsgroups: microsoft.public.windows.server.migration
>
>
> Is it possible to move an AD integrated CA installed on a DC to another
> computer (AD DC or otherwise)?
>
> Our requirement is to demote an old DC with Enterprise CA installed and
> rebuild the hardware for different production server roles.
>
> The only articles I have been able to locate are:
> ID 5551515 - Manually remove Enterprise CA from 2000/3 domain
> ID 298138 - Move a CA to another server (Windows 2000, Stand-alone)
> ID 555012 - How to move a CA to a new [DC] (this article is written very
> poorly and requires three computers to accomplish).
> Much searching of newsgroups and such has not netted any positive results
> yet.
>
> We have tried using VSMT but have not been successful yet. Failing this, we
> may have to demote the CA server and likely revoke all active certs and issue
> new ones on the new Ent CA. This will cause interruption of active services
> that use certs for secure (tunnelled, authenticated) communications, which
> could impact many users, therefore we would like to avoid that.
>
> Moving the EntCA is a last resort option, but I want to research it before
> we potentially have to use it. Any ideas, feedback, or experience you can
> share would be helpful.
>
> --
> -Jon
>
>
>
      
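Added example (not part of the thread, not the procedure from Microsoft's KB article, and written for a much later PowerShell than the 2000/2003-era tools under discussion): a script that covers the checkpoints in Bob's answer at the top (back up the CA on the old DC, confirm the old computer account is gone before the same-named replacement is promoted, restore onto the new DC) and Jon's question about what the AD objects key on. It reads the Enrollment Services and NTAuthCertificates objects straight through ADSI, so it needs no Active Directory module. $CaBackupDir, $OldHost and the function names are placeholders chosen for this example; certutil -backup/-restore, reg export/import and the Public Key Services container paths are real.

```powershell
# Added example, not from the thread or from KB 298138.
# Usage: .\Move-EntCa.ps1 -Step Backup   (on the old DC, before demotion)
#        .\Move-EntCa.ps1 -Step Verify   (after demotion and ADUC cleanup)
#        .\Move-EntCa.ps1 -Step Restore  (on the rebuilt same-named DC, after
#                                         installing Certificate Services with
#                                         the same CA name)
param([ValidateSet('Backup', 'Verify', 'Restore')][string]$Step = 'Verify')

$CaBackupDir = 'C:\CABackup'   # placeholder: where certutil writes the backup
$OldHost     = 'DC1'           # placeholder: name of the DC being demoted

# Step 1: back up the CA database and private key with certutil. certutil
# prompts for a password that protects the exported key; keep that password and
# the folder offline, they are everything needed to stand the CA up again.
function Backup-Ca {
    param([string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    certutil -backup $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with code $LASTEXITCODE" }
    # The CA's registry settings are restored alongside the database, so export them too.
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
        (Join-Path $Dir 'CertSvc-Configuration.reg') /y | Out-Null
    Get-ChildItem -Path $Dir -Recurse | Select-Object FullName, Length
}

# Step 2: after dcpromo (demote) and removal in ADUC, confirm that no computer
# object with the old name is left in the domain. DirectorySearcher needs no
# extra modules, so it also runs on older management hosts.
function Test-ComputerAccountGone {
    param([string]$Name)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(cn=$Name))"
    return ($null -eq $searcher.FindOne())
}

# Step 3: list the Enterprise CA objects in the Configuration partition.
# The pKIEnrollmentService object under CN=Enrollment Services carries
# dNSHostName and cACertificateDN: it names the CA host, it does not store the
# computer account's SID, which is why a same-named replacement can pick the
# entry up once the CA data is restored.
function Get-EnterpriseCaObjects {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext.Value
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    $enrollSvc = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    foreach ($ca in $enrollSvc.Children) {
        [pscustomobject]@{
            CaName        = $ca.cn.Value
            HostReference = $ca.dNSHostName.Value
            CaCertDN      = $ca.cACertificateDN.Value
            Templates     = ($ca.certificateTemplates -join ', ')
        }
    }
    # NTAuthCertificates holds the CA certificates trusted for logon; it is
    # keyed on the certificate itself, not on any computer account.
    $ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
    "NTAuthCertificates entries: $($ntAuth.cACertificate.Count)"
}

# Step 4: on the rebuilt DC, restore the database and key. Certificate
# Services must be stopped for the restore; -f overwrites the empty database
# created when the role was installed.
function Restore-Ca {
    param([string]$Dir)
    net stop certsvc | Out-Null
    certutil -f -restore $Dir
    if ($LASTEXITCODE -ne 0) { throw "certutil -restore failed with code $LASTEXITCODE" }
    reg import (Join-Path $Dir 'CertSvc-Configuration.reg') | Out-Null
    net start certsvc | Out-Null
}

switch ($Step) {
    'Backup'  { Backup-Ca -Dir $CaBackupDir }
    'Verify'  {
        if (Test-ComputerAccountGone -Name $OldHost) {
            "No computer object named $OldHost remains; safe to bring up the replacement."
        } else {
            "Computer object $OldHost still exists in AD; remove it in ADUC before promoting the new server."
        }
        Get-EnterpriseCaObjects
    }
    'Restore' { Restore-Ca -Dir $CaBackupDir }
}
```

Run the Verify step once before the move as well: the HostReference column shows which host name the Enrollment Services object points at, so after the restore you can confirm the new DC matches it and that the CaCertDN still names the original CA.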